Securing data storage

Demand for greater protection has fuelled convergence between storage and security giants as preserving and securing data becomes a paramount issue

Published December 16, 2006

Symantec’s US$13.5 billion acquisition of Veritas and, more recently, EMC’s US$2.1 billion purchase of RSA Security, are just some of the many indications that storage and security are consolidating.

In fact, in the last two years we have seen several storage and security players converging in a bid to reinvent themselves, as the line that separates the storage and security markets continues to blur.

The actual integration of security and storage has been happening for some time, but it was only recently that the convergence started gaining momentum.

“We saw this shift, in the past, where a number of storage and security vendors came together and started either cooperating together — without being acquired — but they went to the market with some sort of reselling or OEM [original equipment manufacturer] partnership for approaching customers together,” notes Abdul Karim Riyaz, CA’s regional director for storage and protection in Europe, Middle East and Africa’s (EMEA) Eastern markets.

“We also saw certain acquisitions happening with companies coming together,” he adds.

There are several key reasons why security is fast becoming an indispensable element of storage.

The widespread use of the internet and other web technologies, along with wireless and mobile access, for instance, all allow company data to be more readily available to third-party organisations, such as customers, partners and vendors.

Previously, their data was only accessible internally, with very little traffic passing into the insecure outside world. Now that web-based interactions are becoming more common, many of the companies’ internal applications and information are being opened up to almost anyone.

Data protection

With their data no longer confined within their organisation’s perimeter, IT managers have come to realise that whatever security measures they had in place for their storage systems before should be considered compromised.

Storage now requires the same level of protection as other elements of the network.

For Jocelyn Al Adwani, chief technology officer of STME, the convergence of the two industries is something she expected.

“It is a natural progression. It is the way the industry is moving now. It is becoming more and more of a requirement for security to be embedded in with some of the storage solutions that are going out because, obviously, the data needs the protection. It needs to be safe from outside influences,” Al Adwani says.

“There have been quite a lot of incidents worldwide where data disappears. There has always been security on data that is being moved around the network, but in terms of wanting them stored, it has only been protected rather than actually secured from hackers.

“There were no encryption [methods before], which is now a requirement.”

The tipping point that asserted the need for more robust storage security is the changing nature of the threat to organisations.

Where common security attacks once consisted of distributed denial of service (DDoS) or the emergence of yet another Internet Explorer (IE) security vulnerability, these have given way to a more silent but much more dangerous activity, one that often compromises the personal information of thousands and sometimes millions of customers.

Yes, the target for many of these crimes is information itself, either for corporate espionage, large-scale identity theft or other types of fraud, with organised syndicates as the perpetrators of such activities.

“As the amount of data grew in the data centres and as we started seeing more and more creative hacking out there, there became a realisation that data not only had to be available — meaning you can access it any time you want, where you want — but also that data had to be secure.

“I think of it almost like the water supply. You want the water supply to be always available but you also do not want it to be contaminated.

“If you have water flowing in your tap but it is contaminated, then it is useless to you. At the same time, if you are overly protective of your water and you store it somewhere that is inaccessible because you are trying to protect it from contamination, well, you cannot get access to your water,” he adds.

Compliance and regulatory initiatives, such as Basel II and Sarbanes-Oxley, will keep the convergence momentum going, says Al Adwani, as companies are forced to adhere to stricter standards and be accountable for their data in ways that were previously inconceivable.

“A lot of legal compliance laws are actually enforcing companies to encrypt the data while it is at rest, especially in the financial industry,” she notes.

According to Riyaz, the emphasis being placed upon data protection has led businesses to re-evaluate their security and storage requirements. The result is a shift from point products to a more holistic approach to information management.

“One of the reasons that storage and security convergence is happening is that organisations and businesses have moved up one level from pure play protect and evaluation strategies to looking at risk management as a total. The larger interest of businesses was to protect data, and they are not looking at specific technology,” says Riyaz.

“We also saw the emergence of certain standards coming into place like ISO standards for risk management, and also a certain number of regulations coming in. All of them talked about data integrity, data availability, and data protection.”

“When you talk about data integrity in a larger perspective, we cannot split that into storage or security per se. We are talking about ensuring that the data that is available for businesses to make a decision is of good quality, is available, and is not compromised,” he continues.

“The compromise can happen from multiple areas. One can be from a security perspective, in terms of corruption of data through virus attacks and other kinds of malware. Similarly, the compromise of the data can happen due to backup or servers going down and the unavailability of data.”

With the security and storage convergence trend well underway, Dajani says the morphed technology would be ideally suited to vertical markets including banking and finance, governments and telecommunications.

“These industries are, to some extent, being forced by the amount of growth, especially in our region here,” he explains.

“In general, telcos, banks, and government agencies are growing the fastest and they are adding more hardware, more software, and more applications very, very rapidly to their IT infrastructure.

“They are trying to reduce risk in the sense that they are making sure that their applications will remain running. They do not want their customers to lose confidence in them. With just a short amount of downtime, the impact to their business can be tremendous.

“They are trying to reduce risk by making sure that their applications are up and running because risk, in this case, is losing your customers. Having a bad reputation in the market is a tremendous risk,” Dajani says.

Close integration

As the marriage of data storage and security in the industry becomes more common, Riyaz says it confirms the direction that CA established a number of years ago through the close integration of security and storage solutions.

“CA was one of the first companies to have storage and security as two distinct areas of technology within our portfolio. When we were in that kind of scenario, along with systems management and service management, other vendors were pure play, either storage or security,” Riyaz says.

“What we were able to give to the market initially, long before the other vendors, was to provide secure backup, which means that while data was being backed up we used to have our anti-virus technology within the actual backup cleaning the data. The reason for that being if you are backing up corrupted data, you are backing up data that is infested with viruses.

“If a disaster strikes and you need to restore the backups, you do not want the same corrupted data restored on your production systems. What you want is clean data.

“We were one of the first companies that provided this technology, wherein we were able to combine backup and security by ensuring that clean data get backed on in the production system. This was one of the first things,” Riyaz goes on to say.

“Now, we see the market moving in terms of this technology wherein we are talking about securing the storage environment. We also look at a number of new technologies in terms of bringing in identity and access management to storage topology to see who would get access to what kind of storage resources within the topology and ensuring that only authorised people get access to different topologies.”

CA’s converged storage and security approach revolves around the company’s enterprise IT management (EITM) strategy, its vision for unifying and simplifying management of IT across the enterprise. According to CA, EITM aims to streamline core IT disciplines, such as fault and change management, as well as eliminate “silos” that historically have limited an IT organisation’s ability to effectively manage disparate technologies.

“Businesses today run on a complex amalgamation of technologies ranging from 25-year-old legacy databases to state-of-the-art RFID systems,” says John Swainson, CA’s president and CEO, in a statement.

“As long as the management of those technologies remains fragmented, IT-related costs and vulnerabilities will be higher than necessary, and organisations will not realise the full economic value of their IT assets.”

Under the EITM strategy, CA has released 26 EITM-enabled products that are tightly integrated through the CA Integration Platform, which provides a workflow engine, management database (MDB), shared policies and a consistent user interface to enable customers to integrate and orchestrate their technologies, people and processes to support their business goals.

Available as individual modules and integrated suite components, some of these products include CA’s BrightStor Storage Command Center and CA Identity Manager.

“The four pillars that are supporting the EITM strategy are managing cost, managing risk, improving service and aligning IT investments. What we are looking into our portfolio of products is to see if we have all the different technologies under enterprise management, storage management, security management, and service management that will help our customers address these four issues of managing cost and risk, improving services, and aligning IT investments,” Riyaz says.

According to Riyaz, a big part of the EITM approach is to identify gaps in CA’s portfolio and address those gaps either by developing the technologies needed or sourcing them externally through acquisitions.

One such purchase was that of XOsoft, a data replication and recovery specialist, which CA purchased last July. The addition of XOsoft, Riyaz says, will flesh out CA’s BrightStor ARCserve Backup product line.

“The acquisition of XOsoft provides CA with the capability to deliver the combination of traditional backup and advanced recovery management technologies necessary by offering several data protection options to its enterprise customers,” states Brian Babineau, analyst with the Enterprise Strategy Group (ESG).

In addition, with the acquisition of iLumin last year, CA is stepping up its presence in the e-mail archiving space, an area which, according to Gartner, is expected to be a US$883 million market by 2009.

The ILM factor

Similarly, CA’s purchase of MDY, a records management software provider, puts the company head to head with big guns like EMC and IBM in the information lifecycle management (ILM) market.

Symantec formally entered the storage market with its acquisition of Veritas last year.

The deal, which was one of the biggest in recent years, puts Symantec as a powerhouse in the backup, recovery and archiving software space, says Dajani.

“The Symantec and Veritas merger, being probably the largest that I am aware of in the market, combines a leader in data security (Symantec) and a leader in data protection and availability (Veritas),” he adds.

“Together we have something, which we call information integrity, where we know the information is available when you want it but it is also secure. This is where we are now and this is what Symantec is driving today.”

“Customers want a single place to go for critical applications such as e-mail. Symantec also claims market leadership in each category [related to e-mail]. Additionally, Symantec notes that the large security players, such as Trend Micro, CA and Network Associates, do not stretch into the storage space, while the backup and recovery, storage management and e-mail archiving specialists, such as EMC and IBM, do not have the security domain expertise.”

Symantec’s information integrity strategy is nothing new, but simply a re-statement of concepts that it has been focusing on for some time. At its core is the idea that for information to be useful to an enterprise, it must be both highly available and secure. If either condition is not met, the data is useless.

For Symantec, information integrity can be delivered via the close integration of vulnerability assessment, attack prevention, threat mitigation, and disaster recovery.

It says information integrity goes beyond the protection of systems against viruses and software vulnerabilities, but requires an integrated approach to have solutions that both protect and manage system architectures and the information within those systems.

“Companies are looking at IT in a different way. They are looking at IT risk management as their main focus. Their goal is to reduce cost and reduce complexities. So how do they do that?” asks Dajani.

“What we tell our customers is that we can do that by our method of standardisation. We tell our customers that we want to standardise their infrastructure, their abilities, and their tools to access the data.

“That way, whether it is Oracle on Solaris or it is Microsoft SQL Server running on Windows, they are using the same tools to protect and secure their data and to ensure that their applications are always up and running.”

Furthermore, the company is fusing together different products in its portfolio to make it easier for companies to protect their networks with fewer potential points of failure, Dajani says.

“We are actually doing two things. On one hand, we are combining products together into one interface, one GUI [graphical user interface]. Several products are now joined together and installed together under one GUI. In other cases, we are offering solutions where products work together,” he says.

He adds, however, that not all products are joined together because there is no need to do so.

“Our products are not all integrated together because some customers, and this is done on purpose — by design — want to try other companies for other technologies. We offer customers flexibility, that they do not get locked in to Symantec, that they can make decisions. Hopefully, they do invest on Symantec technologies end to end but we give them an option if they only want to, say, invest in one slice of the pie of Symantec that is available to them,” Dajani elaborates.

“This kind of approach we are following is we are trying to combine both security products together, combine availability products together, combine security and availability products together, either as a unified product or a point product collected together,” he goes on to say.

SNIA standards

Contrary to the hype, HP is tackling storage and security consolidation in a different way. While the plan going forward is to grow its storage business in three areas — ILM, storage grids, and data protection products and services — the company aims to do this by aligning its solutions with the standards defined by SNIA (Storage Networking Industry Association).

“From an HP standpoint, we are following the standards based on SNIA standards, which is a global standardisation on the storage technology itself. It is about having an open standard platform that can be integrated with whatever the customer needs. It might be storage management, security, compliance, or integration,” says Ashraf Helmy, StorageWorks product marketing manager, HP Middle East.

“Our strategy for the storage division is to build a platform that is an open system rather than integrating security solutions, which is a proprietary solution,” he states.

Helmy claims that SNIA compliance is the surest way to achieve interoperability across different platforms and solutions. HP, he says, makes sure that most solutions offered by third-party security vendors are integrated with their storage offerings.

“We have a certification with more than one security company, which enables the customer to utilise the total solution if he needs security over the storage.

“From a security point of view, storage, by itself, if configured properly and delivered properly does not need such high security. What needs security is the data. The data comes from either the internal servers or the external access.

“There are multiple levels of security layers before the data can be written in the storage array, such as the security on the server, the application, the database, the SAN [storage area network] infrastructure, and on the storage access, which HP feels is enough for some customers,” Helmy elaborates.

Instead of focusing on acquisitions, Helmy says that HP’s main enabler in the storage space is the integration of its products and services.

“By integrating our products and services, I believe it is one of the best forms of service delivery in the IT industry. Integrating our products with any partner solution to meet the customer’s requirements in various areas, starting from a turnkey solution, a data centre, a service-oriented architecture [SOA], allows our customers greater flexibility and ensures a true open standard platform, which can be used for whatever the customer needs or whatever implementation he wants,” adds Helmy.

Consolidation

From a channel perspective, the ongoing consolidation gives local partners a chance to expand their market and for STME a chance to venture into new business opportunities, says Al Adwani.

“In 2007, we will be focusing more on the security side, which means hiring some more security-focused employees, so that we will have a more in-depth knowledge on the security side of things. We are still very much looking around the protection of the data and the information side of things, rather than network or security, anti-virus,” she reveals. “E-mail archiving is the main one we are focusing on at the moment.”

“I think, for the customers, they are quite excited about it. It means that they can reduce the number of different partners they are working with and they get a more integrated solution. Therefore, they do not need someone providing them on the security side and someone else providing them on the storage side, and then having these two areas integrated or looking for someone that can do the integration, because now security and storage comes in the form of a packaged solution. It is actually easier for them to implement it,” Al Adwani says.

She believes the acquisition spree happening in the storage and security space is nowhere near its end, especially since vendors on both sides are in the midst of plugging the gaps to complete their product portfolios.

“It seems to be that every week there is a new acquisition. So, every time I think it [acquisition] stops there is another purchase being made.

“I think it will continue because these companies are trying to provide a very rounded or encompassing solution, and so any time there is a gap and they find an up and coming company that has the technology they would acquire that,” Al Adwani notes.

“I think gaps in the overall solutions that are required by organisations today will continue to push vendors into M&As [mergers and acquisitions].

“A lot of it is being pushed by compliance regulations and new business opportunities and the type of solutions that customers require now tend to be more encompassing rather than point solutions and therefore they need to be able to cover a wider range of the enterprise that enable more integration with the different solutions,” Al Adwani concludes.
